From: guido@trentalancia.net (Guido Trentalancia) Date: Wed, 26 Apr 2017 20:00:17 +0200 Subject: [refpolicy] [PATCH v2] locallogin: fix the sulogin submodule (emergency shell!) In-Reply-To: <20170426175826.GB23409@julius> References: <1492802281.4493.1.camel@trentalancia.net> <201704270220.27679.russell@coker.com.au> <201704270323.25612.russell@coker.com.au> <20170426175826.GB23409@julius> Message-ID: <1493229617.17296.1.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This patch has already been submitted. Feel free to submit a patch to improve things as you say... On Wed, 26/04/2017 at 19.58 +0200, Dominick Grift via refpolicy wrote: > On Thu, Apr 27, 2017 at 03:23:25AM +1000, Russell Coker via refpolicy > wrote: > > On Thu, 27 Apr 2017 02:32:05 AM Guido Trentalancia via refpolicy > > wrote: > > > Unfortunately, your sulogin patch didn't work, so it was not just > > > a matter > > > of unneeded permissions! > > > > > > You can check by yourself that it was missing critical > > > permissions while > > > granting unneeded ones... > > > > It worked for me last time I tested it on Debian.??Maybe other > > distributions? > > need different permissions.??Maybe the Debian sulogin changed to > > require more? > > permissions since the last time I tested it.??But I don't submit > > policy based? > > on what I imagine programs might do, it's based on what I observe > > them doing. > > I can confirm that cap_dac_override and cap_sys_admin arent needed > for sulogin in debian stretch > > https://www.youtube.com/watch?v=NBj2W7yiu_c > > > > > > Also, I have already stressed out several times that getty should > > > probably > > > run without the sys_admin capability. They didn't want to change > > > it, I am > > > not going to tell that again.? > > > > As the previous discussion that I linked to showed there was a > > situation where? > > a character could be lost if that permission wasn't granted.??I > > expect that? > > getty could be changed to address that issue.??But I also recall > > that there? > > was another issue which I couldn't get the details of in 10 minutes > > of? > > Googling. > > > > > Feel free to submit your sys_admin capability patch for getty, > > > sulogin or > > > both. Consider, I have not tested other variations for sulogin, I > > > consider > > > the change of minor importance compared to this patch. > > > > As I have stated several times sulogin has a sole purpose of > > running a shell? > > with ultimate privileges and therefore I think that restricting > > it's access is? > > futile. Guido